An unknown company's four-year campaign to sue hundreds of companies for offering encryption on their websites shows no signs of abating, with Intel, Yelp, and MovieTickets.com being targeted in the past month, court records show.

The patent infringement complaints, which have also named Google, Apple, eBay, and Expedia, claim that Marshall, Texas-based TQP Development is entitled to royalties for the companies' use of the secure sockets layer and transport layer security protocols. Together, SSL and TLS form the basis for virtually all encryption used to authenticate websites and to encrypt data traveling between them and end users. The lawsuits assert US Patent No. 5,412,730, which is titled "Encrypted data transmission system employing means for randomly altering the encryption keys."

Court records indicate that TQP has sued hundreds of companies since 2008. At least 100 of those organizations have been named in the past 12 months, indicating that the campaign is only gaining steam. A variety of them, including one against Apple, were later dismissed after reaching confidential settlements. A separate case, filed against TD Ameritrade, was dismissed on August 28, two weeks before a jury trial was scheduled to begin.

The strategy is common among "patent trolls," a term critics apply to people or companies who extract money by asserting questionable patents covering widely used technologies.

"Their business model is not to go to trial and potentially risk the validity of the patent for any one particular defendant," Jim Denaro, a Washington, DC-based attorney for the CipherLaw Group, told Ars, referring to TQP. "The business model is based on the fact that the cost of defending a lawsuit and the risk of a large damages award as a result of being found to infringe a patent is so high that it's worth paying a perhaps substantial sum of money in order to extricate yourself from that lawsuit. When you scale that up to hundreds of companies there's quite a bit of money to be made." Denaro said he isn't representing any parties involved in any of the cases.

"If there is some kind of attack that is known and there is some kind of vulnerability to the alternative ciphers, that would make them perhaps completely unsuitable for continued commercial use," Denaro, who recently blogged about the patent infringement cases here, said. "That would be a good argument to suggest that there really are no practical alternatives to RC4 and that would increase the value of the patents going forward once that vulnerability becomes known."

Attorneys for TQP didn't respond to a phone call seeking comment for this post.

Promoted Comments

Another non-practising entity suing everyone for a patent they're never going to implement in a shipping device or application.

If this is upheld (and I really hope it isn't), can this company and all people associated with it be sued and held personally responsible for any flaws in their method that lead to security breaches? After all, if they're going to claim benefit they should be responsible for issues.

I'd love to see a winding down of the entire concept of software patents. Sadly given how much money is at stake, it'd cost the US government many hundreds of billions of dollars to compensate companies for devaluing their patents, so I don't think any change will come soon.

Considering the government's own use of SSL, most likely including the USPTO for some purposes, how many lawsuits does this company have pending against them??? If the court they try the case at has its own website that uses SSL, are they going to sue the court too?

It seems like a strategy targeting 100 companies simultaneously would backfire if your goal is to settle rather than go to court. Those companies could band together and share legal costs to fight the patent's validity. I'm surprised this hasn't happened, unless their patent really is solid and they have a valid claim.

RC4 was invented by RSA in 1987 (which predates the patent filing mentioned earlier), and was not patented by RSA. It was considered a trade secret. It (the algorithm) was then published into the public domain in 1994. The name "RC4" is trademarked, but it says that it is commonly referred to as "ARC4".

Okay, can we please stop this now? Tech companies are close to spending more resources in court than in the lab. Why are we doing this?

/rageface

The short answer is "because there is money to be made by doing this". It's pretty much the same rationale behind most human behaviour (such as the manufacture and sale of landmines, for example). Whether or not that's a good enough reason is open to question.

Uhhh last I checked, TLS and SSL are IEEE standards. How does someone get a patent for that? Is it some specific implementation of it or something? Does this mean I owe royalties from that project I did back in school that implements TLS? Can someone just nuke these patent trolls from high orbit already? The patent office really needs to get their heads screwed on straight because this is just going from laughable to ridiculous to runaway train.

Another non-practising entity suing everyone for a patent they're never going to implement in a shipping device or application.

If this is upheld (and I really hope it isn't), can this company and all people associated with it be sued and held personally responsible for any flaws in their method that lead to security breaches? After all, if they're going to claim benefit they should be responsible for issues.

I'd love to see a winding down of the entire concept of software patents. Sadly given how much money is at stake, it'd cost the US government many hundreds of billions of dollars to compensate companies for devaluing their patents, so I don't think any change will come soon.

Is there no FRAND for something like this? Seems like there should be.

Quick lesson on IP: standards bodies like ITU, IETF, etc, are made up of working groups who each work on one or more standards. These working groups are comprised of members (usually companies) who are stakeholders in the standard. In order to join such a working group, the members sign a pledge that if the eventual standard incorporates any of their IP, they will a) make it available free, b) license it under FRAND terms, or c) transfer the IP to the standards body for management/enforcement/licensing (a, b, or c depends on the particular body and working group).

Now, if I invent an amazing technology and patent it, and then some standards body comes along and builds a standard on it, I haven't made that pledge. And there is no eminent domain for IP for standards -- there's no mechanism for government or a standards body to seize my IP, or to force me to adopt FRAND licensing terms, or any of that.

That said, for anything like SSL/TLS, it seems fairly likely that prior art can be found. But that's armchair speculation on my part, and certainly the companies in question have more incentive and more funding to look for it than I do.

I wish something like this would have more effect on software patents as a whole. Having companies like Apple settle just fuels the fire.

It does, and that's because Apple et. al. would rather settle and tolerate patent trolls than take any course of action that might threaten software patents in the US. They rather like being able to use them as clubs with which to beat their competitors, and any course of action that would eliminate the trolls would necessarily eliminate their ability to attack with them.

I suspect that any real push to abolish software patents would be met with opposition from them and others.


"If there is some kind of attack that is known and there is some kind of vulnerability to the alternative ciphers, that would make them perhaps completely unsuitable for continued commercial use," Denaro, who recently blogged about the patent infringement cases here, said. "That would be a good argument to suggest that there really are no practical alternatives to RC4 and that would increase the value of the patents going forward once that vulnerability becomes known."

That's not a good argument at all; there are many perfectly practical alternatives to RC4.

We only use a handful of crypto algorithms because they are the ones that were invented decades ago and we are intimately familiar with their strengths and weaknesses.

There are many alternatives, some of them 30 years old, that are actually superior, but what we're using is good enough so why switch?

If we actually have a reason to stop using AES and RC4, such as if a new vulnerability is found or it infringes on someone's patents, then the whole industry will quickly jump to a new standard. In fact, in many cases these new standards *were already defined years ago* and they're just sitting around waiting for a time when we need them.

Browser manufacturers could ship an update tomorrow with support for ECC encryption, and it wouldn't take long for servers to also start rolling it out on their end. ECC is almost 30 years old and is more secure and faster than the SSL we have today (compared to prime factorisation it has smaller keys, simpler math if you know the key, harder math if you don't know the key).

I seem to have understood this differently to other people here. My reading is that it's not the process of encrypting that's being patented but that the encryption key has been randomised so that it's different each time there is a desire to communicate.

Basically it looks like you have two people who want to communicate and who have the same random number generator and the same random seed. As these two communicate, the random number generator is being incremented in sync. The security aspect seems to come from the chance of an evil third party having the same seed for their random number generator being really small.

If my understanding is correct then any public key system would be safe from this patent as the encryption key is fixed and not changing in a random manner for each communication. Don't most encrypted web communications use public keys these days?

I seem to have understood this differently to other people here. My reading is that it's not the process of encrypting that's being patented but that the encryption key has been randomised so that it's different each time there is a desire to communicate.

I think it's more than that, I think it also depends on specifically *how* you generate the random number and share it with the person on the other end.

FatAndrew wrote:

The security aspect seems to come from the chance of an evil third party having the same seed for their random number generator being really small.

It's not "really small". A mouse next to an elephant is "really small". This is more like a single atom next to an object ten times bigger than the whole universe.

FatAndrew wrote:

If my understanding is correct then any public key system would be safe from this patent as the encryption key is fixed and not changing in a random manner for each communication. Don't most encrypted web communications use public keys these days?

All web communication uses public keys, but they are extremely slow so traditionally they are only used to encrypt/share a random number that is then used to seed something like AES or RC4.

You don't want to encrypt 10KB of data with current generation public key crypto. That would be crazy. Instead, you use public key crypto to encrypt a 0.13KB private key and then use private key encryption to encrypt the 10KB of data.

There are alternatives, such as ECC, which is a public key algorithm that is fast enough on its own and it would be better to use that, but nobody is doing it yet because the industry is notoriously hostile to changing anything, unless there is actually a good reason for it.

It may be an industry standard but it was designed by someone. Why shouldn't that person or company be entitled to protect their IP?

How much you want to bet it wasn't designed by these people. I would go so far to even say it wasn't even "designed" in the fake bullshit sense. This is a purely bogus patent, much like 98% of patents.

Since they own the patent on SSL (allegedly), wouldn't that mean they would also be liable for any brokenness in the design? So, if MS or Google or Amazon suffer any losses from it, then the company would be liable? Or would it only be the implementer, assuming they can prove broken implementation and not "broken by original bad design"?

Wishful thinking, but that would be nice to see them hoist on their own petard.

Another non-practising entity suing everyone for a patent they're never going to implement in a shipping device or application.

If this is upheld (and I really hope it isn't), can this company and all people associated with it be sued and held personally responsible for any flaws in their method that lead to security breaches? After all, if they're going to claim benefit they should be responsible for issues.

I'd love to see a winding down of the entire concept of software patents. Sadly given how much money is at stake, it'd cost the US government many hundreds of billions of dollars to compensate companies for devaluing their patents, so I don't think any change will come soon.

Well, it's costing the economy billions of dollars each year to keep the system going. A short term investment to terminate the patent system, even though it is big, would be a huge boon for the US economy in general.

Another non-practising entity suing everyone for a patent they're never going to implement in a shipping device or application.

That's where the law should first change, banning software patents outright is probably too big a leap. But they could change it so that you actually have to be making (or in the process of making) the product that would use the patent.

Which actually goes back to the original purpose, protect the inventor for a short period so that they could build the invention.

I hate to say it, but the patent reads so vaguely that it probably is valid simply by covering the basic steps described. The problem is that the patent impacts on a combination. Mixing RC4 with SSL would likely follow the patented pattern of behaviour so, at a glance, this particular troll has a meat club to beat others with. Unfortunately, I don't see anything described which would invalidate the patent. SSL was itself published after the filing date of this patent and there would be no prior art previous to SSL of note.

The timing of the litigation is not by accident. It's pretty clear that the patent holders never bothered enforcing the patent until around 2008, and then only in part. With the patent due to expire, the 6 year lookback is being used to milk profits out of the patent while it's still possible.

God, I hate vague patents... All SSL does is mix its own approach with one of several encryption algorithms but that mix (part. with RC4), while perfectly obvious now, was indeed patentable back in 1992 before SSL showed up. That appears to be the trigger for the massive onslaught of these patents in 2012 by TQP - in Sep 2011, the BEAST attack made RC4 necessary. Before 2012, the use of RC4 was not essential so their damages would be less and infringement likely not so clearcut.

The other issue is that SSL is not owned by anyone per se. It's an industry standard - all actors adopt it voluntarily so all are equally capable of being sued if they implement it. TQP are acting lawfully with a genuine patent. I just wish the patent wasn't possible given it's a basic iteration of swapping data for encryption needs (the Diffie-Hellman key exchange algorithm dates back to the 1970s after all) - these guys had to wait until 2012 for circumstances and the correct planetary alignment to make the likes of Google and Apple worthwhile targets. It reeks of opportunism.

Another non-practising entity suing everyone for a patent they're never going to implement in a shipping device or application.

If this is upheld (and I really hope it isn't), can this company and all people associated with it be sued and held personally responsible for any flaws in their method that lead to security breaches? After all, if they're going to claim benefit they should be responsible for issues.

I'd love to see a winding down of the entire concept of software patents. Sadly given how much money is at stake, it'd cost the US government many hundreds of billions of dollars to compensate companies for devaluing their patents, so I don't think any change will come soon.

I agree with most of this, but why would the US government be obligated to compensate anyone for "devaluing patents"? As much as some people love to use the term "intellectual property", patents are not really property. They're transferable monopoly rights, so in some ways they behave like property because they have economic value and can be traded around, but that doesn't actually make them property.

People have been trading MMO game money for real money for years. It's transferable and has economic value, but the game developer has no obligation to compensate players for the loss of that in-game money if they decide to shut down the game servers (or hyperinflate the in-game economy by dumping huge piles of loot from weak monsters). Like in-game MMO money, patents are things that only have value because of particular artificial rules regarding their effects and behavior. These rules are subject to change, by game devs or by the Patent Office+Congress. The Patent Office could change the rules to anything they want allowed by patent law, and Congress can change the patent laws to whatever they want as long as it's allowed by the Constitution (so they couldn't, for example, give patents an unlimited duration), and I don't see any legal reason why they would need to pay anyone for their "losses". Political backlash might be a different story, but I see no direct obligation for compensation.

EDIT: Also, the Constitution grants Congress the power to create patent laws, but not the obligation to do so. Congress could eliminate patents entirely, and it would not be unconstitutional.

Love my job, since I've been bringing in $5600… I sit at home, music playing while I work in front of my new iMac that I got now that I'm making it online(Click on menu Home)

Wow... Just, wow... Spamming the ARS community like this is just amazing. Not only does this comment have nothing to do with the article, but it is also a blatant spam message. Do you think ARS readers are going to fall for this?

... it'd cost the US government many hundreds of billions of dollars to compensate companies for devaluing their patents, so I don't think any change will come soon.

Well, it's costing the economy billions of dollars each year to keep the system going. A short term investment to terminate the patent system, even though it is big, would be a huge boon for the US economy in general.

Why is it necessary to pay the companies? A law changed that affects the way they do business, this happens all the time. Tax laws, environmental restrictions, minimum wage, etc...

I agree with most of this, but why would the US government be obligated to compensate anyone for "devaluing patents"? As much as some people love to use the term "intellectual property", patents are not really property. They're transferable monopoly rights, so in some ways they behave like property because they have economic value and can be traded around, but that doesn't actually make them property.

People have been trading MMO game money for real money for years. It's transferable and has economic value, but the game developer has no obligation to compensate players for the loss of that in-game money if they decide to shut down the game servers (or hyperinflate the in-game economy by dumping huge piles of loot from weak monsters). Like in-game MMO money, patents are things that only have value because of particular artificial rules regarding their effects and behavior. These rules are subject to change, by game devs or by the Patent Office+Congress. The Patent Office could change the rules to anything they want allowed by patent law, and Congress can change the patent laws to whatever they want as long as it's allowed by the Constitution (so they couldn't, for example, give patents an unlimited duration), and I don't see any legal reason why they would need to pay anyone for their "losses". Political backlash might be a different story, but I see no direct obligation for compensation.

EDIT: Also, the Constitution grants Congress the power to create patent laws, but not the obligation to do so. Congress could eliminate patents entirely, and it would not be unconstitutional.

-Kasoroth

What you describe is government confiscation of privately held assets. Hopefully that's a nonstarter in this country. We don't nationalize resources just because some people really, really want them.

Of course, I'm admittedly confused by the idea that patents are somehow bad. Under the patent system we live in an era of unparalleled progress. Throwing the system away on unproven dreams and wishes always seems a little silly to me. Very "entitlement generation" though.

What you describe is government confiscation of privately held assets. Hopefully that's a nonstarter in this country. We don't nationalize resources just because some people really, really want them.

Of course, I'm admittedly confused by the idea that patents are somehow bad. Under the patent system we live in an era of unparalleled progress. Throwing the system away on unproven dreams and wishes always seems a little silly to me. Very "entitlement generation" though.

There is no confiscation involved. The "asset" simply lost its value. You could consider an account (or some transferable subdivision of that account) on an MMO an asset. It's something that you can trade for money (and people do trade them for money). If the game developer shuts down their servers (or just changes it to make it impossible to transfer accounts), that would reduce or eliminate the value of that asset, but it is in no way a confiscation.

A patent is a government granted monopoly right. It exists at the government's whim, and can be altered or annihilated at the government's whim. The fact that the current rules regarding patents give them an economic usefulness doesn't change the fact that they are a government granted monopoly right, not a piece of property. You can call them "intellectual property" all day long, but it doesn't make that term any more technically accurate. It's a handy phrase for collectively referring to patents, copyrights and trademarks, and that's all it is.